1708c98e9211c6c71738329ed2e01a23e84eaa04
[pve-firewall.git] / debian / example / cluster.fw
1 [OPTIONS]
2
3 # enable firewall (cluster wide setting, default is disabled)
4 enable: 1
5
6 # default policy for host rules
7 policy_in: DROP
8 policy_out: ACCEPT
9
10 [ALIASES]
11
12 myserveralias 10.0.0.111
13 mynetworkalias 10.0.0.0/24
14
15 [RULES]
16
17 IN SSH(ACCEPT) vmbr0
18
19 [group group1]
20
21 IN ACCEPT - - tcp 22 -
22 OUT ACCEPT - - tcp 80 -
23 OUT ACCEPT - - icmp - -
24
25 [group group3]
26
27 IN ACCEPT 10.0.0.1
28 IN ACCEPT 10.0.0.1-10.0.0.10
29 IN ACCEPT 10.0.0.1,10.0.0.2,10.0.0.3
30 IN ACCEPT +mynetgroup
31 IN ACCEPT myserveralias
32
33
34 [ipset myipset]
35
36 192.168.0.1 #mycomment
37 172.16.0.10
38 192.168.0.0/24
39 ! 10.0.0.0/8 #nomatch - needs kernel 3.7 or newer
40 mynetworkalias
41
42 #global ipset blacklist
43 [ipset blacklist]
44
45 10.0.0.8
46 192.168.0.0/24